"BB Platform Brush lesson Record" Wireshark combined with case study grasping bag

Source: Internet
Author: User

"BB Platform Brush lesson Record" Wireshark combined with case study grasping bag

Background: the university's ideology and politics course requires watching videos online to earn credit. The video page comes with a few "magic" restrictions: the player cannot be fast-forwarded, playback pauses automatically when you leave the window, and the next episode unlocks only after the current one has been watched (so you cannot brush several episodes at once). There are 10 episodes of more than 30 minutes each, so the student body suffers (that is the background ~)

As a technical person, of course I cannot tolerate such a waste of time! Time is precious and should be spent learning! Learning! Learning! (just kidding) So at first I built a small course-brushing helper based on a key-press macro tool (Key Wizard) plus image recognition. Its obvious drawback: the class gets watched automatically, but the computer is tied up and cannot be used for anything else. What?! For several hours of course brushing I cannot touch my computer?! That is something no uncle can tolerate!

Recently I stumbled upon a gadget that not only completes the whole process automatically but does so astonishingly fast. Such black magic, I had to understand how it works! My hands were itching, so today's analysis journey begins ~

---- I am a cute divider line ----

First, observe how the little course-brushing helper works:

Figure 1: When the software opens, its embedded browser visits the login page of the online teaching system

To avoid a knock on the door, let's say the login address is http://bb.bilbil.edu.cn/ (which, of course, is not the real one)

Figure 2: After entering the account and password, it jumps to a page

I simulated this in a browser and got the post-login address http://bb.bilbil.edu.cn/webapps/portal/frameset.jsp?tab_tab_group_id=_2_1

Figure 3: Click "start" to watch, wait for the progress bar to reach the end, and a prompt says the video has been watched ....

Then I went to check: sure enough, all of the more than 10 episodes were unlocked (at this point it is unclear whether they were merely unlocked or actually counted as watched)

With a mix of joy and guilt, I dragged each progress bar from 0% to 100% once, in case no "watch complete" had been submitted to the server ~ (later confirmed to be unnecessary)

Start thinking and analyzing:

Judging from the workflow, the key to the trick is figuring out what goes on between the software and the server while the progress bar in step three advances.

Time to bring out the secret weapon: Wireshark

Wireshark (from Baidu Baike):

Wireshark (formerly known as Ethereal) is a network packet analysis tool. The job of such a tool is to capture network packets and display their contents in as much detail as possible.

The first thing to know: Wireshark captures every packet on the computer (QQ, 360, the browser, etc.), but we only care about the packets exchanged between the computer and the online classroom server.

So, step one: ping bb.bilbil.edu.cn from the command line to get the IP address of the online classroom server, 202.103.223.101

Step two: open Wireshark, start capturing, and set the display filter http && ip.addr==202.103.223.101 (the protocol name in a display filter is lowercase)

Step three: open the course-brushing tool and repeat the course-brushing process. The Wireshark window now shows the packets captured during the communication with 202.103.223.101 (only HTTP packets, because of the filter)

If no packets appear in the Wireshark window at this step, the wrong network interface was probably selected; pick the right NIC and capture again

Step four: analyze the data. This is the most headache-inducing part; I will try to explain it in detail

First, a trick. Note that the first column, No., is the packet sequence number in chronological order. While operating the course-brushing software, write down the No. at the moment of each click; during analysis you then know which operation triggered which packets, which saves a lot of time.

I recorded:

Operation    Click "Sign In"    Click "Brush Lesson"
No.          314~4771           ~5761

So look at the packets after login, from the click on "Brush Lesson" onward, i.e. starting at No. 4771 (saves unnecessary time)

From here on, a regular pattern of packets repeats constantly; my guess is that each repetition is one episode being brushed. Analyzing the packets between 5227 and 5245 (one repetition period) should make this clear

Packet 5227

POST /webapps/bb-floatmediaguilin-bb_bb60/execute/medialog?cmd=initlog&course_id=_1083_1&folderparentid=0 HTTP/1.1\r\n

The key here: the POST goes to the address that receives the data, with some parameters in the query string; the POST body is video_id=_144_1

Reply received, packet 5245

The reply is a JSON object: {"timer": 0, "status": 1, "videoid": "_144_1", "logid": "_503659_1"} (what it is for is not clear yet; keep looking at the next packet)

Packet 5247

POST /webapps/bb-floatmediaguilin-bb_bb60/execute/medialog?cmd=videoendplay HTTP/1.1\r\n

The body is videolog_id=_503659_1&video_id=_144_1 (isn't that exactly the JSON value received in the previous packet?)

So the first POST exists only to obtain videolog_id=_503659_1, while video_id=_144_1 is known in advance (it should identify the different episodes),

and the two values are POSTed to execute/medialog?cmd=videoendplay, which literally reads as simulating the "playback finished" flag the browser sends to the server.

Repeating the check on the next cycle, packets 5251~5265: only video_id changes, so the conjecture above is correct.

This concludes the analysis.
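What the capture shows, from the server's side, is that the "playback finished" event arrives a second or two after the logid was handed out, with no relation to the 30-minute length of the episode. Below is an added example of how an administrator could spot that from the platform's own media-log records; it is not code from the post or from the platform. It assumes that each initlog call is stored as one record holding the logid, user, video_id, the initlog time and the time videoendplay arrived (field names, episode lengths and the sample records are constructed here).

```javascript
// Added example (not from the original post): flag replayed "videoendplay"
// completions using the server's own media-log records.
// Assumption: one record per initlog call, with the logid the server handed out,
// the user, the video_id, the initlog time and the time videoendplay arrived.
// Field names, episode lengths and records below are constructed.

// Constructed: length of each episode in seconds.
const VIDEO_DURATION_SEC = { _144_1: 1850, _144_2: 1920, _144_3: 1805 };

// Constructed sample records. User "u1" watches normally; "u2" replays the POSTs.
const SAMPLE_RECORDS = [
  { logid: "_503659_1", user: "u2", video_id: "_144_1", init: "2014-03-01T10:00:00Z", end: "2014-03-01T10:00:01Z" },
  { logid: "_503660_1", user: "u2", video_id: "_144_2", init: "2014-03-01T10:00:02Z", end: "2014-03-01T10:00:03Z" },
  { logid: "_503661_1", user: "u2", video_id: "_144_3", init: "2014-03-01T10:00:04Z", end: "2014-03-01T10:00:05Z" },
  { logid: "_503700_1", user: "u1", video_id: "_144_1", init: "2014-03-01T11:00:00Z", end: "2014-03-01T11:31:10Z" },
  { logid: "_503701_1", user: "u1", video_id: "_144_2", init: "2014-03-01T11:32:00Z", end: null }, // still watching
];

// Wall-clock seconds between initlog and videoendplay, or null if not finished.
function elapsedSeconds(rec) {
  if (!rec.end) return null;
  return (Date.parse(rec.end) - Date.parse(rec.init)) / 1000;
}

// Signal 1: a completion whose wall-clock gap is shorter than `minFraction`
// of the episode length cannot have come from the real player.
function findSuspiciousCompletions(records, durations, minFraction = 0.9) {
  const out = [];
  for (const rec of records) {
    const secs = elapsedSeconds(rec);
    const len = durations[rec.video_id];
    if (secs === null || len === undefined) continue;
    if (secs < len * minFraction) {
      out.push({ logid: rec.logid, user: rec.user, video_id: rec.video_id, elapsed: secs, expected: len });
    }
  }
  return out;
}

// Signal 2: one user completing several episodes within a short window, which a
// player that unlocks episodes one at a time cannot produce.
function usersWithBurstCompletions(records, windowSec = 60, minCount = 2) {
  const byUser = new Map();
  for (const rec of records) {
    if (!rec.end) continue;
    if (!byUser.has(rec.user)) byUser.set(rec.user, []);
    byUser.get(rec.user).push(Date.parse(rec.end) / 1000);
  }
  const flagged = [];
  for (const [user, times] of byUser) {
    times.sort((a, b) => a - b);
    for (let i = 0; i + minCount - 1 < times.length; i++) {
      if (times[i + minCount - 1] - times[i] <= windowSec) { flagged.push(user); break; }
    }
  }
  return flagged;
}

console.log(findSuspiciousCompletions(SAMPLE_RECORDS, VIDEO_DURATION_SEC));
console.log(usersWithBurstCompletions(SAMPLE_RECORDS));
```

On the constructed records the first check flags the three one-second completions of "u2" and leaves the 31-minute viewing by "u1" alone; the second check flags "u2" again because three episodes end within five seconds of each other. Both signals need nothing beyond timestamps the server already has when it hands out the logid and when it receives videoendplay.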

Hands-on! Replay attack

Everything above is pure theoretical analysis. Many of you will say analysis is useless and doing it yourself is the kingly way! So here I will take you through an experiment to check whether my guess is right ~ ~

1. Per the conjecture above, the main mechanism is a POST request; since it is just a POST, plain JS code can do it

Below is the verification code I wrote (those of you who know JS can see what is going on)

var xml = new XMLHttpRequest(), res = "";
// first request: cmd=initlog, the reply carries the logid for this video
var url = "/webapps/bb-floatmediaguilin-bb_bb60/execute/medialog?cmd=initlog&course_id=_1083_1&folderparentid=0";
xml.open('POST', url, true);
xml.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xml.onreadystatechange = function () {
    if (xml.readyState == 4) {
        if (xml.status == 200) {
            //console.log(xml.responseText);
            res = JSON.parse(xml.responseText); // {"timer":0,"status":1,"videoid":"...","logid":"..."}
            //console.log("videolog_id=" + res.logid + "&video_id=" + res.videoid);
            // second request: cmd=videoendplay with the logid just received
            var url = "/webapps/bb-floatmediaguilin-bb_bb60/execute/medialog?cmd=videoendplay";
            xml.open('POST', url, true);
            xml.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
            xml.onreadystatechange = function () {
                if (xml.readyState == 4) {
                    if (xml.status == 200) {
                        console.log(xml.responseText);
                    }
                }
            };
            xml.send("videolog_id=" + res.logid + "&video_id=" + res.videoid);
        }
    }
};
xml.send("video_id=_144_1"); // for the first video fill in _144_1, for the second _144_2, and so on

How to use: copy the code, log in with your own account, open the browser console, paste the code into the console, press Enter and wait a moment, then refresh the page!! Refresh the page!! Refresh the page!! Back on the video playback page, the first video shows as unlocked / playback complete.
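The replay works only because the server takes "playback finished" on the client's word: the logid it hands out is not bound to any elapsed time, so the two POSTs can be fired back-to-back. Below is an added example of a media-log service that keeps its own clock instead; it is not the post's code and not Blackboard's implementation (class and method names, the heartbeat interval and the episode lengths are constructed). The player sends a progress ping every so often; the server credits at most the wall-clock time since the previous ping, marks an episode complete only once enough time has been credited, and treats each logid as single-use and bound to the user and video it was issued for.

```javascript
// Added example (not the original post's code, not Blackboard's): a media-log
// service that does not trust a client-sent "playback finished" flag.
// Names (MediaLog, initlog, heartbeat, videoendplay) and the numbers are constructed.

const DURATIONS = { _144_1: 1850, _144_2: 1920 }; // constructed: episode length in seconds

class MediaLog {
  constructor(durations, { heartbeatSec = 30, minFraction = 0.9 } = {}) {
    this.durations = durations;
    this.heartbeatSec = heartbeatSec; // expected ping interval from a real player
    this.minFraction = minFraction;   // credited time needed, as a fraction of the episode
    this.logs = new Map();            // logid -> viewing session state
    this.completed = new Set();       // "user|video_id"
    this.nextId = 503659;
  }

  // cmd=initlog: open a viewing session. The logid is bound to user and video.
  initlog(user, videoId, now) {
    if (!(videoId in this.durations)) return { status: 0, error: "unknown video" };
    const logid = `_${this.nextId++}_1`;
    this.logs.set(logid, { user, videoId, lastPing: now, credited: 0, closed: false });
    return { status: 1, videoid: videoId, logid, timer: 0 };
  }

  // Progress ping from the player. At most twice the ping interval is credited per
  // ping, so neither a burst of pings nor one long silence manufactures watch time.
  heartbeat(user, logid, now) {
    const s = this.logs.get(logid);
    if (!s || s.user !== user || s.closed) return { status: 0, error: "bad logid" };
    const delta = now - s.lastPing;
    s.credited += Math.max(0, Math.min(delta, this.heartbeatSec * 2));
    s.lastPing = now;
    return { status: 1, timer: s.credited };
  }

  // cmd=videoendplay: completion is decided from the server's own accounting.
  videoendplay(user, logid, videoId, now) {
    const s = this.logs.get(logid);
    if (!s || s.user !== user || s.videoId !== videoId || s.closed) {
      return { status: 0, error: "bad logid" };
    }
    this.heartbeat(user, logid, now); // credit the final interval
    s.closed = true;                  // the logid cannot be replayed
    const need = this.durations[videoId] * this.minFraction;
    if (s.credited < need) {
      return { status: 0, error: `credited ${s.credited}s, ${need}s required` };
    }
    this.completed.add(`${user}|${videoId}`);
    return { status: 1, completed: true };
  }

  isCompleted(user, videoId) {
    return this.completed.has(`${user}|${videoId}`);
  }
}

// Stand-alone demo: the two-POST replay from the post against this service.
const demo = new MediaLog(DURATIONS);
const issued = demo.initlog("student", "_144_1", 0);
console.log(demo.videoendplay("student", issued.logid, "_144_1", 1)); // status 0
```

With this model a script can still send initlog, pings and videoendplay itself, but it has to keep pinging for the length of the episode to be credited, which removes the "10 episodes in a few seconds" shortcut; the single-use logid also stops the same videoendplay from being resubmitted. The check proves that wall-clock time passed, not that anyone watched, which is the most a server can establish from the requests alone.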

Writing this up was not easy; I am happy to share it, and to all the classmates struggling along the technical road, let's encourage each other ~

The End, throw flowers ~

Statement: to avoid disputes, the IP addresses and URLs used in this post are fabricated; the purpose is technical exchange. We are good kids ~ do not play with fire

"BB Platform Brush Lesson" Wireshark combined with case study grab bag

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.